whitelist bypass through redirect to protocol-relative URL #194

Closed
jsamuel opened this issue Dec 22, 2011 · 2 comments

jsamuel commented Dec 22, 2011

imported trac ticket
created: 2011-02-17 10:02:59
reporter: justin

Mike Cardwell discovered that RequestPolicy does not correctly handle protocol-relative URLs in redirects. RP treats them as absolute paths relative to the origin's prepath.

Mike reported this yesterday and offered to wait until it's patched before discussing it publicly, which is much appreciated. I have a patch ready now so am making this public.

jsamuel commented Dec 22, 2011

imported trac comment
created: 2011-02-17 10:19:52
author: justin

Fixed in r417.

The bug was the result of me forgetting about protocol-relative URLs. However, more fundamentally, I shouldn't have been writing that code by hand. This patch uses Mozilla APIs instead of my own code to determine the destination URI given an origin and a destination path. I'm fairly sure I knew better at the time I wrote the original code but that I couldn't find the right Mozilla API to do this.

The one uncertainty I have about this patch is that I'm not entirely sure about using URLTYPE_AUTHORITY as the urlType to pass to the new nsIStandardURL instance's init(). From what I can tell, it's a good choice. However, the documentation (https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsIStandardURL#Constants) is a bit lacking.

I wish I had RP shirts so I could send Mike one.

jsamuel commented Dec 22, 2011

imported trac comment
created: 2011-02-17 11:04:30
author: justin

For the record, this is an example of what RP would log when missing this bypass with a redirection to //127.0.0.1/:

{{{
[RequestPolicy] [WARNING] [HEADER_REDIRECT] Redirect destination is not a valid uri, assuming dest <//127.0.0.1/> from origin http://localhost/test.php is actually dest http://localhost//127.0.0.1/.

}}}
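
The resolution difference behind the log line above, as an added example that is not part of the original thread and not RequestPolicy's code. It assumes the standard WHATWG `URL` parser in place of the Mozilla APIs the patch uses, hypothetical function names, and a same-host comparison standing in for the extension's whitelist decision.

```javascript
// Added illustration; function names are hypothetical, not RequestPolicy's code.

// Hand-rolled resolution: a Location value that is not an absolute URI is
// treated as a path and joined to the origin's prepath (scheme://host[:port]).
function naiveResolve(originUrl, location) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(location)) return location; // has a scheme
  const origin = new URL(originUrl);
  if (location.startsWith("/")) return origin.origin + location;
  const dir = origin.pathname.slice(0, origin.pathname.lastIndexOf("/") + 1);
  return origin.origin + dir + location;
}

// RFC 3986 reference resolution done by the platform's URL parser.
// "//host/path" is a network-path reference: it keeps the origin's scheme
// but replaces the authority.
function standardResolve(originUrl, location) {
  return new URL(location, originUrl).href;
}

// The policy decision is made on the host of the resolved destination.
function redirectHost(resolve, originUrl, location) {
  return new URL(resolve(originUrl, location)).hostname;
}

// Stand-in for the whitelist check (assumption): same-host redirects pass.
function isSameHostRedirect(resolve, originUrl, location) {
  return redirectHost(resolve, originUrl, location) === new URL(originUrl).hostname;
}

// Constructed sample: the origin and Location value from the log line above.
const ORIGIN = "http://localhost/test.php";
const LOCATION = "//127.0.0.1/";

console.log("naive:   ", naiveResolve(ORIGIN, LOCATION),
            "same host?", isSameHostRedirect(naiveResolve, ORIGIN, LOCATION));
console.log("standard:", standardResolve(ORIGIN, LOCATION),
            "same host?", isSameHostRedirect(standardResolve, ORIGIN, LOCATION));
```

The policy check sees `localhost` under the hand-rolled resolution, while the browser follows the redirect to `127.0.0.1`; resolving with the same parser the platform uses removes that disagreement.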
